
NIS2 Directive: Safeguarding Critical Operations and Avoiding Penalties

  • Writer: Cytopus
  • Mar 6
  • 4 min read
How does NIS2 benefit your business, and how costly can neglecting it be?

NIS2 took effect across the EU from 18th October 2024, but what does it actually mean for businesses and for the cybersecurity market landscape overall? In this article, we give a brief introduction to NIS2 and discuss the financial effects it has on the industry.


What is NIS2 and What Does It Bring?

NIS2, or Directive (EU) 2022/2555, is an updated version of the Network and Information Systems Directive (NIS-D) initially introduced in 2016 by the European Union. It is designed to ensure a higher level of cybersecurity across critical infrastructure sectors, increase resilience to cyber attacks, and protect the EU’s digital economy.

Moreover, the updated version (NIS2) introduces new measures, expanding its scope and strengthening requirements to better address evolving cyber threats. The main goal of these measures is to protect network and information systems, as well as to prevent or minimize the impact of incidents on interconnected services and service recipients.


  • The broadened scope of the NIS2 Directive includes:

    • Postal and courier service

    • Research

    • Digital services

    • Food production processing & distribution

    • Digital service providers

    • Manufacture, distribution, and production of chemicals

    • Providers of public electronic communications networks or services

    • Manufacture of certain critical products

    • Waste water and waste management

    • Public administration

    • Space


However, the broader scope is not the only update it brings.

  • Focus on ICT Supply Chain Security: Emphasizes managing the risk associated with service providers and suppliers.

  • More Severe Penalties: Neglecting compliance will result in significant fines or operational restrictions, similar to the financial penalties under GDPR.

    • For essential entities: Administrative fines with a maximum of at least €10 million or at least 2% of the total worldwide annual turnover, whichever amount is higher.

    • For important entities: Administrative fines with a maximum of at least €7 million or at least 1.4% of the total worldwide annual turnover, whichever amount is higher.

  • Stronger Governance: Entities must designate responsible cybersecurity officers and ensure the implementation of robust policies, training, and audits.

  • Increased Accountability and Collaboration: Introduces management liability for ensuring compliance. Establishes stricter cooperative and information-sharing mechanisms between member states and EU institutions.

  • Stricter Incident Reporting Rules: Entities must follow rigorous timelines and detailed procedures for notifying Computer Security Incident Response Teams (CSIRTs) and, in some cases, service recipients. In addition, an early warning must be submitted within 24 hours of detection.


Is Your Business in Scope of NIS2, or Does It Fall Under the Directive's Exemptions?

In basic terms, the NIS2 Directive applies to companies that provide essential services in sectors critical to society and the EU's economy. There are three types of companies that fall within NIS2:

  • Essential Entities: These are organizations that operate in sectors critical to the functioning of society and the economy:

    • Energy (electricity, oil, gas)

    • Transport (air, rail, sea)

    • Banking and Financial Market Infrastructures

    • Health (medical services, hospitals)

    • Drinking Water

    • Digital Infrastructure (data centers, cloud services, etc.)

  • Important Entities: These are organizations that are not classified as essential, but that play a significant role in the economy:

    • Digital Service Providers (e-commerce platforms, online marketplaces, etc.)

    • Public Administration Entities

  • Service Providers: These are organizations that provide services to essential entities.


Exceptions:

  1. Small and Medium-Sized Enterprises (SMEs): SMEs will most likely be exempt from certain NIS2 obligations, but this depends on the specific country's implementation of NIS2 and on the nature of the services offered.

  2. Low-Risk Organizations: Those entities that present minimal risk to the economy or society might be excluded from particular NIS2 requirements, especially in terms of incident reporting or security measures.

  3. Non-EU Entities: Companies outside of the European Union that do not offer any services or do not operate within the EU may not be required to comply with NIS2.


Steps for Implementing the NIS2 Directive

  1. Check if NIS2 applies to your organization: It is imperative to identify whether your business is covered by NIS2, including whether any exemptions apply, whether it is classified as "important" or "essential", and how this affects your cybersecurity compliance efforts.

  2. Understand the legislation of the Member States: Analyze how each Member State has transposed NIS2 into national law; in some cases you will need to designate a local representative if your organization is not EU-based but operates in the EU.

  3. Review Incident Response Plans: Evaluate your incident response plan daily to ensure that it is up to date with evolving threats, aligns with NIS2, and includes clear communication channels and roles for effective breach management.

  4. Examine Third-Party Risk Management (TPRM): Ensure your TPRM procedure is regularly updated, aligned with NIS2, and robust enough to mitigate potential risks from vendors and third parties.

  5. Comprehend other relevant EU cybersecurity laws: Since NIS2 is part of the EU cyber framework, it is essential to understand how it integrates with other data protection and cybersecurity laws, such as CRA and DORA.


How Can Cytopus Help You with NIS2 Implementation?

  • Compliance Assessment and Gap Analysis: We will identify the gaps between your existing cybersecurity policies and the requirements not only of NIS2 but also of DORA, CRA, and GDPR. On top of that, we will conduct an assessment to determine whether your organization falls under the scope of NIS2.

  • Develop and Test Incident Response Plans: We help you build and regularly test comprehensive incident response plans to prepare for and mitigate the impact of cybersecurity incidents.

  • Business Continuity and Disaster Recovery Plans (BCP/DRP): Cytopus will ensure your BCP and DRP are aligned with NIS2's implications and best practices for the security of your business.

  • Monitoring and Reporting: Our experts will implement advanced monitoring and incident reporting solutions and keep them aligned with NIS2 compliance on an ongoing basis.
